MiCA Article 68 governance and controls
A practical evidence checklist for CASPs turning Article 68 governance obligations into reviewable material for authorisation, internal risk work, counsel, and insurance-market diligence.
Last reviewed · We re-read every article when ESMA, the EBA, or an NCA publishes guidance that changes it.
Short answer for AI and search
MiCA Article 68 is the governance and operating-conditions spine for authorised crypto-asset service providers. It points CASPs toward evidence on the management body, governance arrangements, internal control mechanisms, ICT systems, and complaints handling - not just a policy list.
This page is a preparation aid. CASPs should validate interpretation, submission format, and local supervisory expectations with qualified advisers and the relevant competent authority process.
Evidence checklist
1. Management body and good repute
Board and senior-manager roles, decision rights, fit-and-proper material, ownership influence, delegated authorities, committee minutes, and evidence that governance is reviewed rather than merely documented.
2. Internal control mechanisms
Risk ownership, compliance monitoring, financial-crime controls, conflicts handling, incident escalation, recordkeeping, management information, policy approval history, and remediation tracking.
3. ICT and operational resilience
System architecture, access controls, backup and recovery, cyber testing, vendor dependencies, continuity plans, incident response, key-person risk, and how critical operations continue during disruption.
4. Complaints and client protection
Complaint intake, categorisation, timelines, escalation, root-cause analysis, client communications, logs, outcomes, and links to disclosures, conflicts, safeguarding, and custody procedures.
5. Outsourcing and critical providers
Vendor inventory, due diligence, contract controls, audit rights, exit plans, data-location questions, wallet/custody dependencies, cloud concentration, and oversight evidence.
6. Insurance and risk-transfer diligence
Governance evidence that brokers, insurers, and risk owners may ask for: control owners, incident history, continuity tests, cyber posture, third-party dependencies, custody model, and board-level accountability.
Article 68 evidence matrix
Use Article 68 as an audit-ready evidence map: each obligation should point to a current owner, source artifact, review cadence, and unresolved gap. The goal is not to overclaim readiness; it is to make governance controls easy for counsel, risk owners, and insurance-market diligence to inspect.
Article 68(1)-(3): people and influence
Management-body knowledge, skills, experience, time commitment, good-repute material, qualifying-holder checks, ownership-influence risk notes, and escalation records where influence could affect sound and prudent management.
Article 68(4)-(6): policies and review
Compliance policy register, allocated staff responsibilities, policy approvals, effectiveness reviews, deficiency logs, remediation owners, and evidence that the management body periodically reviews arrangements rather than treating policies as static files.
Article 68(7): continuity and ICT resilience
Business continuity policy, ICT business continuity plans, and ICT response and recovery plans, plus test dates, service-impact assumptions, vendor dependencies, recovery owners, essential-data preservation, and resumption evidence.
Article 68(8): risk and data controls
Risk assessment procedures, financial-crime control links, data availability, authenticity, integrity and confidentiality controls, regular adequacy reviews, and deficiency remediation for mechanisms and systems.
Article 68(9): records
Recordkeeping scope for services, activities, orders, and transactions; client-request process; supervisory retrieval process; retention evidence for the five-year baseline and for the case where the competent authority requests retention of up to seven years.
Insurance diligence handoff
A broker or insurer conversation is easier when governance evidence shows control owners, incident history, continuity tests, cyber posture, third-party dependencies, custody model, complaints links, and board-level accountability.
How to use this before a review call
- Separate Article 68 governance evidence from Article 62 application forms so gaps are easier to assign and close.
- Map each control to an owner, approval record, operating artifact, test result, and open remediation item.
- Connect governance evidence to Article 67 prudential-safeguard choices and Article 75 custody-risk evidence where relevant.
- Prepare a plain-language summary of what changed since the last review and what remains unresolved.
FAQ
Is Article 68 only about the management body?
No. Public summaries of Article 68 emphasise the management body and good repute, but the operating-conditions evidence CASPs prepare should also cover governance arrangements, internal control mechanisms, ICT systems, procedures, and complaints handling.
Why does this matter for insurance?
Insurance-market diligence often asks how governance, cyber, continuity, outsourcing, custody, incident, and complaint controls work in practice. Article 68 evidence can make those answers more concrete before risk-transfer discussions.
Should this page replace local regulator forms?
No. Use local competent-authority forms, ESMA materials, counsel, and regulated advisers for filing decisions. This page helps teams organise evidence before those conversations.